Date: Mon, 23 Oct 2000 15:25:02 -0700 From: "Crist J . Clark" <cjclark@reflexnet.net> To: Kirk Brogdon <kirk@alaptech.com> Cc: freebsd-questions@FreeBSD.ORG Subject: Re: natd / tcpdump diag question Message-ID: <20001023152502.M75251@149.211.6.64.reflexcom.com> In-Reply-To: <20001023131959.A212@bsd1.alaptech.com>; from kirk@alaptech.com on Mon, Oct 23, 2000 at 01:19:59PM -0800 References: <20001023131959.A212@bsd1.alaptech.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, Oct 23, 2000 at 01:19:59PM -0800, Kirk Brogdon wrote: > This is a repost from a week or so ago with some updated info. . . . > > 4.1.1 Stable > cable modem on fxp0 > lan on rl0 (3 Win98 boxes) > > I started getting flooded with the "natd[]: failed to write packet > back, (host is down) messages. I found some archives where Crist Clark > said to run tcpdump on the interface and look for arps that weren't > getting an answer. I tried that first on the outside net I/F (fxp0 > in my case) since that is how I have the natd interface configured > in rc.conf (natd_interface="fxp0"). This gave me what appeared to > be every arp request for the cable network. I then tried the > tcpdump on my lan I/F (rl0) and got the following: > > 11:31:47.774308 arp who-has 132.17.0.60 (3:0:0:0:a1:26) tell 132.17.0.6 > 11:32:05.846045 arp who-has bsd1.alaptech.com tell alap2.alaptech.com > 11:32:05.846078 arp reply bsd1.alaptech.com is-at 0:e0:29:70:43:5d > 11:32:17.774797 arp who-has 132.17.0.60 (3:0:0:0:a1:26) tell 132.17.0.6 > 11:32:47.774879 arp who-has 132.17.0.60 (3:0:0:0:a1:26) tell 132.17.0.6 > 11:33:17.775523 arp who-has 132.17.0.60 (3:0:0:0:a1:26) tell 132.17.0.6 > > I have no idea who 132.17.0.60 is nor why I would see the requests > on my lan I/F. I did a traceroute on that IP and got as far as > 132.17.120.11 (about 18 hops). If I try and ping 132.17.0.60, it > is refused (I assume it is behind a firewall). > > I did disconnect the lan from the FBSD box and the messages stopped. > I was able to track it down to one Win98 machine (by trial and error) > but I still don't get it. The mac is not the same as what is in > that box (according to Win98 anyway) nor is the IP. The Win98 box > seems to be working fine. Why would it be generating these arp > requests over and over? Is the card bad? Is someone doing bad > things to me? This is really neat. From what I can find, 03:00:00 is not assigned to any vendor for use in MAC addresses. It looks like that machine is crafting the whole frame. As for that address, $ whois -a 132.17.0.6 Lindsey Air Station (NET-LINDSEY) GERMANY Netname: LINDSEY Netnumber: 132.17.0.0 Coordinator: Boyles, Steve (SB152-ARIN) wingtcf@RAMSTEIN2-EMH.AF.MIL (DSN) 314-339-3230 Record last updated on 12-Jul-1996. Database last updated on 23-Oct-2000 06:19:18 EDT. The ARIN Registration Services Host contains ONLY Internet Network Information: Networks, ASN's, and related POC's. Please use the whois server at rs.internic.net for DOMAIN related Information and whois.nic.mil for NIPRNET Information. Looks like a US Air Force base in Germany. I'd keep an eye out for black helicopters. You might consider firing up an IDS on your LAN there and seeing what is going on. -- Crist J. Clark cjclark@alum.mit.edu To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20001023152502.M75251>